Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/10/2023, 15:50

General

  • Target

    sample.exe

  • Size

    146KB

  • MD5

    1784d03173fd273f9810be0a48f1f383

  • SHA1

    b4354665152723b9fa6e31f07d155265a1d6e2f6

  • SHA256

    03097f75904007de33f69ec77e02146fe2a0b3d3b2a923640677bb1f46815b07

  • SHA512

    35dad75e13ab4363ee1495e304e58ec11f731da1f8e21ce9690cfd0cff7d77c50f8b9b5584208e315c8cbb71345401e6ffd771427690b2cffcb40b3ec78b7edb

  • SSDEEP

    3072:nyPZHpVIYbQf91G3im/2Ef07Jysgk8vRFHoCj1advu07rr/b/V53SgvB+qMDDpvy:n2HpV+8vnvEu0Xrjt5igvy6Qijx3P

Malware Config

Extracted

Path

C:\ProgramData\Merlin_Recover.txt

Ransom Note
Your ID is: 5F03B352D4822F03

Q: How to contact us?
A: Install session messenger from this link : https://getsession.org/download And chat with us. This is our sessions ID: 05752759728f65ca92b3d98fc72500cdb7c5b11eb7b17f7d8afc6b8ecdcbdedf6d OR Contact with these email addresses: [email protected] [email protected] [email protected]
** Make sure to include the ID in the first line of massages or subject of email, otherwise we won’t answer your massages.

Q: What's Happened?
A: Your files have been encrypted and now have the "Merlin" extension. The file structure has been changed to unreadable format, so they are inaccessible. Your critical information has been downloaded, including databases, financial/developmental, accounting, and strategic documents.

Q: How to recover files?
A: If you want to decrypt all of your data and return your systems to operative state, you require a decryption tool. We are the only ones who own it, and also, if you want your stolen data will be wiped out from our systems, you better contact us.

Q: What about guarantees?
A: we decrypt 2 non_important files under 5MB for free (they should not include sensitive information). We will decrypt them and send them back to you. They can be from different computers on your network to be sure that one key can decrypts your whole systems. That is our guarantee. It's just a business and we don't pursue any political objectives. We absolutely do not care about you and your data except the money and our reputation are the only things that matters to us. if we do not do our work and liabilities, nobody will cooperate with us which is not in our interests.

Q: How will the decryption process proceed after payment?
A: After payment, we will send you our decryption program + detailed instructions for use. With this program, you will be able to decrypt all your encrypted files.

*** Important ***
1- certain files that were encrypted but not renamed to "Merlin" extension, they will also be recovered by the decryption tool.
2- If you want the decryption procedure to be effective, DO NOT delete or modify the encrypted files, it will cause issues with the decryption process.
3- Beware Any organization or individual who asserts they can decrypt your data without paying us should be avoided. They just deceive you and charge you much more money as a consequence; they all contact us and buy the decryption tool from us.

Q: If you don't want to pay to us?
A: it does not matter to us, but you have to accept its consequences:
1- Your data will be leaked for free on TOR darknet and your competitors can have access to your data.
2- We know exactly what vulnerabilities exist in your network and will inform google about them.
The money we asked for is nothing compare to all of these damages to your business so we recommend you to pay the price and secure your business. If you pay we will give you tips for your security so it can’t be hacked in the future besides you will lose your time and data cause we are the only ones that have the private key. In practice - time is much more valuable t
URLs

https://getsession.org/download
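
The extracted config above stops at the note path and the URL; the fields an analyst actually pivots on are the victim ID, the Session messenger ID, the contact addresses and the appended extension. The following extractor pulls those out of the quoted note. It is an added example, not tria.ge's config extractor or anything from the sample; the excerpt it parses is copied from the note above, with the contact addresses left exactly as the page shows them (redacted), and the code reports that as a distinct case rather than as "no contacts". The e-mail address in the test input is an invented placeholder.

```python
"""Pull the analyst-relevant fields out of a Merlin-style ransom note.
Added example, not tria.ge's config extractor."""
import re

# Excerpt copied from the note quoted in this report. The e-mail addresses
# are shown redacted on the page, so this excerpt keeps them that way.
NOTE_EXCERPT = (
    "Your ID is: 5F03B352D4822F03 Q: How to contact us? A: Install session "
    "messenger from this link : https://getsession.org/download And chat with us. "
    "This is our sessions ID: "
    "05752759728f65ca92b3d98fc72500cdb7c5b11eb7b17f7d8afc6b8ecdcbdedf6d "
    "OR Contact with these email addresses: [email protected] [email protected] "
    'Q: What\'s Happened? A: Your files have been encrypted and now have the "Merlin" extension.'
)

FIELDS = {
    "victim_id": re.compile(r"Your ID is:\s*([0-9A-Fa-f]{8,})"),
    # Session messenger IDs are a 33-byte public key hex-encoded with a 0x05
    # prefix, i.e. 66 hex characters starting with "05".
    "session_id": re.compile(r"\b(05[0-9a-f]{64})\b"),
    "extension": re.compile(r'have the "([^"]+)" extension'),
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract(note: str) -> dict:
    """Return the pivot fields found in `note`; missing scalars are None."""
    cfg = {}
    for key, pattern in FIELDS.items():
        m = pattern.search(note)
        cfg[key] = m.group(1) if m else None
    cfg["urls"] = sorted(set(URL_RE.findall(note)))
    cfg["emails"] = sorted(set(EMAIL_RE.findall(note)))
    # A note that talks about e-mail but yields no address means the text we
    # were given is redacted or obfuscated; say so instead of reporting
    # "no contacts", which would be wrong for the note on this page.
    cfg["emails_redacted"] = bool(re.search(r"e-?mail", note, re.I)) and not cfg["emails"]
    return cfg


if __name__ == "__main__":
    for key, value in extract(NOTE_EXCERPT).items():
        print(f"{key:16} {value}")
```

Run against the excerpt it yields the victim ID, the 66-character Session ID, the getsession.org URL and the "Merlin" extension, with `emails_redacted` set because the page obfuscates the addresses. Pointed at an unredacted note it returns the addresses and leaves the flag unset.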

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (10319) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:2592
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2996
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1532
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\Temp3.tmp"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Users\Admin\AppData\Local\Temp\Temp3.tmp
        C:\Users\Admin\AppData\Local\Temp\Temp3.tmp
        3⤵
        • Executes dropped EXE
        PID:1452
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
        3⤵
        PID:1236
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2872
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Merlin_Recover.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:2784
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
      PID:1208
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Pictures\MoveUnpublish.tif.Merlin
        1⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2928
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\MoveUnpublish.tif.Merlin
          2⤵
          • Opens file in notepad (likely ransom note)
          PID:2976
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\Merlin_Recover.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:2548
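
The process tree shows three behaviours worth alerting on, in order: a scheduled task "Windows Update BETA" created as NT AUTHORITY\SYSTEM with an onstart trigger pointing back at the sample in %TEMP%, two rounds of `vssadmin.exe delete shadows /all /quiet`, and, after the dropped Temp3.tmp has run, deletion of that same task. The following detection logic runs those three rules over Sysmon-style process-creation records. It is an added example, not tria.ge's or the sample's code: command lines and PIDs are copied from the tree above, parent PIDs follow the tree's nesting, the parent of sample.exe (1000) is an assumed placeholder, and the `wmic shadowcopy delete` variant in the shadow-copy rule is a common equivalent that goes beyond what this report shows.

```python
"""Detection rules for the behaviours in the process tree above, run over
constructed Sysmon-style (Image / CommandLine / ProcessId / ParentProcessId)
process-creation events. Added example, not tria.ge's or the sample's code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the report's process tree. PIDs and command
# lines are from the report; the parent 1000 of sample.exe is assumed.
SAMPLE_EVENTS = [
    ProcEvent(2496, 1000, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    ProcEvent(2884, 2496, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" '
              r'/sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F'),
    ProcEvent(2592, 2884, r"C:\Windows\SysWOW64\schtasks.exe",
              r'SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" '
              r'/TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F'),
    ProcEvent(1504, 2496, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet'),
    ProcEvent(2996, 1504, r"C:\Windows\system32\vssadmin.exe",
              r"vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(3040, 2496, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F'),
    ProcEvent(1236, 3040, r"C:\Windows\SysWOW64\schtasks.exe",
              r'SCHTASKS.exe /Delete /TN "Windows Update BETA" /F'),
]

# vssadmin is what this sample used; the wmic form is a common equivalent
# that goes beyond what the report shows. Matched on the command line so the
# cmd.exe /c wrapper fires as well as the vssadmin.exe child.
SHADOW_DELETE = re.compile(
    r"(?i)\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)")
USER_WRITABLE = re.compile(r"(?i)\\(?:AppData|Temp|ProgramData|Users\\Public)\\")


def schtasks_arg(cmdline: str, flag: str):
    """Value of a schtasks switch such as /TN, quoted or bare; None if absent."""
    m = re.search(r"(?i)" + re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect(events):
    """Return (rule, pid, detail) tuples in event order."""
    known = {e.pid for e in events}
    parents = {e.pid: e.ppid for e in events}

    def root(pid):  # top-most ancestor we hold an event for
        while parents.get(pid) in known:
            pid = parents[pid]
        return pid

    hits, created = [], {}  # created: (root pid, task name) -> creating pid
    for e in events:
        image = e.image.rsplit("\\", 1)[-1].lower()
        if SHADOW_DELETE.search(e.cmdline):
            hits.append(("shadow_copy_deletion", e.pid, e.cmdline))
        if image != "schtasks.exe":
            continue
        name = schtasks_arg(e.cmdline, "/TN")
        if re.search(r"(?i)/Create\b", e.cmdline):
            run_as = schtasks_arg(e.cmdline, "/RU") or ""
            trigger = (schtasks_arg(e.cmdline, "/SC") or "").lower()
            target = schtasks_arg(e.cmdline, "/TR") or ""
            reasons = []
            if run_as.upper().endswith("SYSTEM"):
                reasons.append("runs as SYSTEM")
            if trigger in ("onstart", "onlogon"):
                reasons.append(f"trigger {trigger}")
            if USER_WRITABLE.search(target):
                reasons.append("target in user-writable path")
            if reasons:
                hits.append(("suspicious_task_create", e.pid, f"{name}: " + ", ".join(reasons)))
            created[(root(e.pid), name)] = e.pid
        elif re.search(r"(?i)/Delete\b", e.cmdline):
            key = (root(e.pid), name)
            if key in created:  # same task name, same process tree: short-lived persistence
                hits.append(("task_created_then_deleted", e.pid,
                             f"{name} (created by PID {created[key]})"))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} PID {pid:<5} {detail}")
```

The create/delete pairing is keyed on the root of the process tree rather than on the immediate parent, because here both schtasks.exe instances are grandchildren of sample.exe via separate cmd.exe wrappers; an alert on the deletion alone would miss that it is cleaning up the sample's own task.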

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\ProgramData\Merlin_Recover.txt

        Filesize

        3KB

        MD5

        64d1b77bb61544c8440363d4374c3c65

        SHA1

        2925f8f71c44185ceb93939c1dba343e1d77d6d6

        SHA256

        9d7aee82e5e3a93c4d513ba145c72003094a9a833aeec8becffd56a8893259a1

        SHA512

        f15e8918fda73cb45a2a81286e0c16fc754661fe07d9839e070ae0581f23ada1deff3e359f0348410c3ce6511b14d8005b36f813e770270395505d3299ff0af1

      • C:\Users\Admin\AppData\Local\Temp\Temp3.tmp

        Filesize

        5KB

        MD5

        ab65af4349e7c5b0872c8b808d036980

        SHA1

        414b2a2748b7ea6176c1d2453f89fdc8a2d349d0

        SHA256

        a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2

        SHA512

        2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679

      • C:\Users\Admin\Desktop\Merlin_Recover.txt

        Filesize

        3KB

        MD5

        64d1b77bb61544c8440363d4374c3c65

        SHA1

        2925f8f71c44185ceb93939c1dba343e1d77d6d6

        SHA256

        9d7aee82e5e3a93c4d513ba145c72003094a9a833aeec8becffd56a8893259a1

        SHA512

        f15e8918fda73cb45a2a81286e0c16fc754661fe07d9839e070ae0581f23ada1deff3e359f0348410c3ce6511b14d8005b36f813e770270395505d3299ff0af1

      • C:\Users\Admin\Pictures\Merlin_Recover.txt

        Filesize

        3KB

        MD5

        64d1b77bb61544c8440363d4374c3c65

        SHA1

        2925f8f71c44185ceb93939c1dba343e1d77d6d6

        SHA256

        9d7aee82e5e3a93c4d513ba145c72003094a9a833aeec8becffd56a8893259a1

        SHA512

        f15e8918fda73cb45a2a81286e0c16fc754661fe07d9839e070ae0581f23ada1deff3e359f0348410c3ce6511b14d8005b36f813e770270395505d3299ff0af1

      • C:\Users\Admin\Pictures\MoveUnpublish.tif.Merlin

        Filesize

        1.7MB

        MD5

        33ec32822b21688091d34b4773382d00

        SHA1

        67c9aad4e4e461ffbd38fa345a9bd7a40f4693a9

        SHA256

        0c7c69255ec2def27e149731680b544fc3c3f5ef8288a0036de9249f2b685465

        SHA512

        ebdde2f7f5296dc83ad1748a174bd72dc4557f7a65bdbccf84466487e1bea2e4b83110559f7101db10b6e667c6d71db1c764ca232eb3d2a533a5927973a6233f

      • \Users\Admin\AppData\Local\Temp\Temp3.tmp

        Filesize

        5KB

        MD5

        ab65af4349e7c5b0872c8b808d036980

        SHA1

        414b2a2748b7ea6176c1d2453f89fdc8a2d349d0

        SHA256

        a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2

        SHA512

        2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679